The same week President Donald Trump huddled with top aides in the Situation Room, unable to announce an end to the war with Iran, the price of gasoline in the United States was still 46% higher, the Strait of Hormuz remained blocked, and a quiet battle as destructive as any bomb was playing out on millions of American screens.
The weapon: a fake Zoom installer. The target: you.
Between February and April 2026, as U.S. and Israeli warplanes struck Iranian targets and Tehran fired back at American bases across the Middle East, an Iranian hacking group affiliated with the Islamic Revolutionary Guard Corps executed a cyber espionage campaign against U.S. defense, aviation, and telecommunications firms.
The group, tracked by security researchers as Nimbus Manticore, did not rely on sophisticated zero-day exploits or brute force. They relied on what everyday Americans do every morning: checking email, downloading software, and joining a meeting.
Check Point Research, which published a threat intelligence report on the campaign, found that the hackers used trojanized Zoom installers signed with fraudulently obtained but valid code-signing certificates. The digital signatures came from legitimate certificate authorities, meaning the malware appeared to Windows security systems as trusted software.
When victims downloaded “Zoominstall64.zip” from fake meeting invitations, they received a real Zoom installer – and a hidden backdoor.
The timing was not accidental. Operation Epic Fury, the U.S.-Israeli military campaign against Iran, launched Feb. 28, 2026.
Within days, Nimbus Manticore shifted tactics. Before the war, the group primarily targeted Israel and the United Arab Emirates with career-themed phishing lures. During the conflict, they expanded to the United States, impersonating domestic airlines and software firms.
The malware, which researchers named MiniFast, showed clear signs of AI-assisted development. The code was exceptionally clean, modular, and included excessive error handling for basic functions such as “GetUserName” – a hallmark of large language model-generated code.
This allowed the hackers to build malware tools rapidly in the middle of a shooting war.
Once installed, MiniFast gave the attackers full remote control.
They could list directories, execute commands, kill processes, upload and download files, create ZIP archives, and even load additional DLLs. The malware disguised its network traffic as Google Chrome browser traffic and hijacked a legitimate Windows scheduled task named “ZoomUpdateTaskUser” to maintain persistence. To a security analyst, the malicious activity looked like a routine Zoom update.
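As an added illustration (not part of the original article or of the Check Point report), the following Python check inspects an exported ZoomUpdateTaskUser task definition and flags an action that does not run from the per-user Zoom install directory, which is how a hijacked task of the kind described above would differ from the genuine one. The expected directory (%APPDATA%\Zoom\bin), the DLL-loader heuristic and the two sample task definitions are assumptions constructed for the example.

```python
import ntpath
import os
import re
import subprocess
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler's exported task XML (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASK_NAME = "ZoomUpdateTaskUser"
# Assumption: the per-user Zoom install lives under %APPDATA%\Zoom\bin.
EXPECTED_DIR = ntpath.join(
    os.environ.get("APPDATA", r"C:\Users\analyst\AppData\Roaming"), "Zoom", "bin")
# Generic heuristic (not from the report): a DLL loader standing in for Zoom.exe.
DLL_LOADERS = ("rundll32", "regsvr32", ".dll")

# Constructed sample task definitions, not real exports.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Users\analyst\AppData\Roaming\Zoom\bin\Zoom.exe</Command>
    <Arguments>--update</Arguments>
  </Exec></Actions></Task>"""
HIJACKED_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>C:\Users\analyst\AppData\Local\Temp\upd\helper.dll,Start</Arguments>
  </Exec></Actions></Task>"""


def export_task_xml(task_name=TASK_NAME):
    """Export the task definition from the local Task Scheduler (Windows only)."""
    out = subprocess.run(["schtasks", "/query", "/tn", task_name, "/xml"],
                         capture_output=True, text=True, check=True)
    return out.stdout


def inspect_task_xml(xml_text, expected_dir=EXPECTED_DIR):
    """Return findings for the task's Exec actions; an empty list means it looks legitimate."""
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)  # drop the encoding declaration
    root = ET.fromstring(xml_text)
    exp_dir = ntpath.normcase(ntpath.normpath(expected_dir)) + ntpath.sep
    findings = []
    execs = root.findall(".//t:Actions/t:Exec", NS)
    if not execs:
        findings.append("task has no Exec action")
    for ex in execs:
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        cmd_norm = ntpath.normcase(ntpath.normpath(ntpath.expandvars(cmd)))
        if not cmd_norm.startswith(exp_dir):  # binary lives outside the Zoom directory
            findings.append(f"command outside the Zoom directory: {cmd}")
        if any(m in (cmd + " " + args).lower() for m in DLL_LOADERS):
            findings.append(f"action loads a DLL instead of Zoom: {cmd} {args}".strip())
    return findings
```

On a Windows host, `inspect_task_xml(export_task_xml())` runs the same check against the live task.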
By April, the group abandoned email lures altogether.
They built a fake website, getsqldeveloper.com, designed to mimic Oracle’s SQL Developer software. Using search engine optimization poisoning – keyword stuffing and dozens of interconnected domains – they pushed the scam site to the top of Bing and DuckDuckGo results for anyone searching for “SQL developer.”
Developers and engineers downloaded the backdoor directly, believing they were getting a legitimate database tool.
The victims included companies in the aviation, telecommunications, and defense sectors across the United States, Europe, and the Middle East. Check Point Research noted that wartime pressures accelerated the group’s capabilities.
What had been a regional espionage operation expanded into a global campaign capable of compromising American firms from inside their own software update routines.
The cyber offensive unfolded as the Trump administration struggled to secure even a temporary ceasefire. On May 29, Trump called a Situation Room meeting to decide on extending a 60-day truce.
The framework agreement would have ended U.S.-Israeli military action in exchange for Iran lifting its blockade of the Strait of Hormuz, a waterway through which roughly 20 percent of the world’s oil flows.
Then, Trump toughened the terms, demanding that Iran destroy its highly enriched uranium and agree never to possess a nuclear weapon – conditions Tehran had previously rejected.
Three officials told the Associated Press that Trump was concerned about unfreezing Iranian funds, a provision he has long criticized President Barack Obama for including in the original nuclear deal. He was also frustrated by how long Iran was taking to respond to U.S. proposals. On Friday, after the Situation Room meeting concluded, a White House official provided no details on whether any agreement had been reached.
Meanwhile, Iranian chief negotiator Mohammad Bagher Ghalibaf posted on social media: “We have no trust in guarantees or words – only actions are the measure. No action will be taken before the other side acts.”
The lack of trust is rooted in recent history.
Iran has been attacked militarily twice over the past year while engaged in negotiations with the United States – once by Israel last summer, and again in late February by the United States and Israel together.
An Iranian official briefed on the talks said Tehran’s deep distrust of the Trump administration has made it difficult for Iran’s leadership to build support for any deal.
That distrust has real-world consequences for American workers. As diplomats haggle over the language of a memorandum of understanding, Nimbus Manticore is not waiting. According to the Check Point report, the hackers have already demonstrated the ability to move from targeted spear-phishing to mass SEO poisoning – a technique that can reach any American searching for common software.
The average retail price of a gallon of gasoline in the United States dropped to $4.35 on Saturday, down 17 cents from a week earlier, according to the American Automobile Association. But that remains 46 percent higher than before the war began, as the Strait of Hormuz blockade disrupts shipping and forces energy facilities offline. Industry analysts warn that the longer the strait remains shut, the heavier the toll on the global economy.
For the American worker sitting at a desk, the connection between a fake Zoom installer and a closed waterway half a world away is not obvious. But it is direct. The IRGC uses cyber operations to pressure the United States economically and psychologically, to gather intelligence on military supply chains and to create chaos that weakens American resolve. The trojanized Zoom meeting invitation is not a sideshow. It is the main event of a hybrid war.
The Treasury Department’s Office of Foreign Assets Control has sanctioned front companies like Mehrsam Andisheh Saz Nik and individuals like Alireza Shafie Nasab for their roles in IRGC cyber campaigns. The Justice Department has unsealed indictments. But sanctions do not remove malware from a compromised laptop. Indictments do not stop a backdoor from exfiltrating defense contractor data.
What stops it is awareness. If you installed Zoom from an unofficial site between February and April of this year, your device may be compromised. The legitimate Zoom installer does not come from a ZIP file in a suspicious email.
The legitimate SQL Developer download does not come from getsqldeveloper.com. And the legitimate ceasefire deal – assuming one ever arrives – will not come from a White House that cannot decide what it wants.
As of Saturday evening, no announcement had emerged from the Situation Room. The war continues. The strait remains blocked. Gas prices remain high. And somewhere in the digital infrastructure of an American aviation firm, a scheduled task named ZoomUpdateTaskUser is quietly reporting back to Tehran.